Author Archive - Karl Dominguez (Threat Response Engineer)

A couple of days ago, my colleagues reported an attack that appears to be targeted and that involves email messages sent through a Webmail service. Upon further investigation, we were able to confirm that this attack exploits a previously unpatched vulnerability in Hotmail. Trend Micro detects the malicious email messages as HTML_AGENT.SMJ.

The attack requires nothing more than the targeted user opening the specially crafted email message; the script embedded in it then executes automatically. This leads to the theft of critical information, specifically the affected user's email messages and personal contact information. The stolen messages may themselves contain sensitive data that cybercriminals can reuse in further attacks.

The script connects to http://www.{BLOCKED}eofpublic.com/Microsoft.MSN.hotmail/mail/rdm/rdm.asp?a={user account name}{number} to download yet another script.

The form of this URL strongly suggests that the attack is targeted. It carries two variables: {user account name}, which is the target user's Hotmail ID, and {number}, a value predefined by the attacker. The number appears to select the malicious payload; in our analysis, the information theft routines only ran when certain values were present in the {number} field.

The URL leads to another script, detected by Trend Micro as JS_AGENT.SMJ, which issues a request to the Hotmail server from within the victim's logged-in webmail session. That request makes Hotmail send all of the affected user's email messages to certain email addresses. The forwarding, however, only works during the session in which the script executed and stops once the user logs off.
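The one network indicator the post gives is the rdm.asp callback path with its {user account name}{number} parameter. The following is an added example (not code from the original post or from Trend Micro) of turning that into a proxy-log check that also recovers the account and the attacker-chosen number. The log lines, the client addresses and the callback host (example-blocked.com) are constructed for illustration; the post redacts the real domain, so the check matches on the path only. The split of the "a" parameter into account and number assumes the number is the trailing run of digits.

```python
"""Flag proxy log lines carrying the rdm.asp second-stage callback.

Added example, not from the original post. All log data below is constructed;
the callback hostname is a placeholder, not a real indicator.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Path of the second-stage script download named in the post. Hostnames are
# deliberately not matched: the post redacts the domain and attackers rotate them.
CALLBACK_PATH = "/Microsoft.MSN.hotmail/mail/rdm/rdm.asp"

# The "a" parameter is the victim's Hotmail ID followed by an attacker-chosen
# number. Assumption: the number is the trailing run of digits. If an account
# name itself ends in digits the split is ambiguous, so treat the number as a hint.
ACCOUNT_NUMBER_RE = re.compile(r"^(?P<account>.*?)(?P<number>\d+)$")

# Constructed sample log in a simplified "timestamp client method url" format.
SAMPLE_LOG = """\
1305000001 10.0.0.7 GET https://mail.live.com/default.aspx
1305000002 10.0.0.7 GET http://www.example-blocked.com/Microsoft.MSN.hotmail/mail/rdm/rdm.asp?a=alice_smith11
1305000003 10.0.0.9 GET http://www.example-blocked.com/Microsoft.MSN.Hotmail/Mail/rdm/RDM.asp?a=bob.jones7
1305000004 10.0.0.9 GET https://cdn.example.net/script.js
"""


def parse_callback(url):
    """Return (account, number) if url is the rdm.asp callback, else None."""
    parts = urlsplit(url)
    # IIS paths are case-insensitive, so compare case-insensitively too.
    if parts.path.lower() != CALLBACK_PATH.lower():
        return None
    a_value = parse_qs(parts.query).get("a", [""])[0]
    m = ACCOUNT_NUMBER_RE.match(a_value)
    if not m:
        return None
    return m.group("account"), int(m.group("number"))


def scan_log(text):
    """Return one finding dict per log line that requests the callback."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        timestamp, client, _method, url = fields[:4]
        hit = parse_callback(url)
        if hit is None:
            continue
        account, number = hit
        findings.append({"ts": timestamp, "client": client,
                         "account": account, "number": number})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The {number} value is worth keeping in the finding: the post observes that only certain values trigger the theft routines, so grouping hits by number shows which victims received an active payload and which did not.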

The attack takes advantage of a bug in Hotmail's script and CSS filtering mechanism (CVE-2011-1252), which let the crafted message's script past the filter and run in the context of the webmail session. Microsoft has already taken action and has updated Hotmail to fix the bug.

I recently posted an entry about Trojanized applications that were found in the Android Market. About 50 repackaged versions of legitimate apps were pulled from the Android Market after being found infected with AndroidOS_LOTOOR.A. AndroidOS_LOTOOR.A steals mobile device information and gains root access on the infected device, handing control of it to unauthorized users.

In response, Google pulled the applications from the Android Market, remotely removed the Trojanized apps from users' devices, and deployed the Android Market Security Tool, an application that reverses the modifications made by AndroidOS_LOTOOR.A and prevents the device from sending out device information.

Predictably, a Trojanized version of the very application Google released to protect users from Trojanized applications soon followed. While the legitimate application prevents information theft, AndroidOS_BGSERV.A does the opposite. It acts as a backdoor that gathers device information and sends it to a remote URL. It also keeps a log of its routines, which it sends to the same URL so that its operators can keep track of its activities. The Trojanized application also performs actions without the user's authorization, including modifying call logs, intercepting or monitoring messages, and downloading videos.

Mobile threats are reaching new heights today and the Android platform is becoming a favorite of attackers. Google made the Android platform as "open" as possible and released application development documentation, source code, and SDKs for anyone to see. Becoming an Android developer is quite easy: one just needs to pay a US$25 registration fee and can then upload applications to the Android Market.

Google trusts the community of developers and users to rate an application or flag it as “malicious.” This was supposed to encourage programmers to develop applications that will in turn attract people to purchase Android smartphones since numerous applications are available.

However, this openness also attracted cybercriminals, as Android’s popularity has become a perfect opportunity for them to profit. As we have seen with the first Android malware, cybercriminals Trojanized legitimate applications and uploaded the new packages to third-party markets, hoping users will download these. Trojanizing legitimate apps became a norm in the Android platform landscape and the best advice (seemingly) is to download only from trusted sites and, of course, from the Android Market.

Yet cybercriminals seemed to have gotten away with uploading a number of Trojanized applications which Trend Micro detects as AndroidOS_LOTOOR.A.
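Both the LOTOOR repackaging and the fake Android Market Security Tool above share one property a checker can use: whoever repackages an app has to re-sign it, because the original developer's (or Google's) private key is not available to them, so the signing certificate inside the APK changes. The block below is an added example, not code from the original post or from Trend Micro, that compares the certificate blocks under META-INF/ against an allowlist of known developer certificate fingerprints. The two APKs are constructed in memory with placeholder certificate bytes; they are not real applications, and the hashes are not real indicators.

```python
"""Spot re-signed (repackaged) APKs by their signing certificate.

Added example, not from the original post. Covers the v1 (JAR) signing scheme
that Android used at the time of the post: the signer's certificate lives in a
PKCS#7 block stored as META-INF/*.RSA (or *.DSA / *.EC). All APKs and
certificate bytes below are constructed placeholders.
"""
import hashlib
import io
import zipfile

CERT_SUFFIXES = (".RSA", ".DSA", ".EC")


def signer_fingerprints(apk_bytes):
    """SHA-256 of every signature block under META-INF/ (v1 JAR signing)."""
    fingerprints = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if name.startswith("META-INF/") and name.upper().endswith(CERT_SUFFIXES):
                fingerprints.add(hashlib.sha256(apk.read(name)).hexdigest())
    return fingerprints


def classify(apk_bytes, trusted_fingerprints):
    """Return 'unsigned', 'trusted' (all signers known) or 'resigned'."""
    fingerprints = signer_fingerprints(apk_bytes)
    if not fingerprints:
        return "unsigned"
    return "trusted" if fingerprints <= trusted_fingerprints else "resigned"


def build_apk(cert_bytes, extra_files=()):
    """Constructed minimal APK-like zip (demo helper, not a real build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("AndroidManifest.xml", "<manifest/>")
        apk.writestr("classes.dex", b"dex\n035\0placeholder")
        for name, data in extra_files:
            apk.writestr(name, data)
        if cert_bytes is not None:
            apk.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
            apk.writestr("META-INF/CERT.RSA", cert_bytes)
    return buf.getvalue()


# Constructed placeholders standing in for the DER-encoded PKCS#7 blobs a real
# APK carries; only their hashes matter to the check.
DEVELOPER_CERT = b"placeholder: legitimate developer certificate"
ATTACKER_CERT = b"placeholder: repackager certificate"
TRUSTED = {hashlib.sha256(DEVELOPER_CERT).hexdigest()}

ORIGINAL_APK = build_apk(DEVELOPER_CERT)
# Repackaged copy: same app content plus an added file, signed with another key.
REPACKAGED_APK = build_apk(ATTACKER_CERT, [("assets/extra.bin", b"added payload placeholder")])

if __name__ == "__main__":
    print("original  :", classify(ORIGINAL_APK, TRUSTED))
    print("repackaged:", classify(REPACKAGED_APK, TRUSTED))
```

The allowlist has to be built from APKs obtained directly from the developer or the Market, never from a sample under analysis. Hashing the whole PKCS#7 block is a deliberate simplification: a full check would parse the block and fingerprint the end-entity certificate itself, and newer Android versions add signature schemes (v2 and later) stored outside META-INF/ that this v1-only check does not see.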

The malicious .RTF files contain crafted data and shellcode designed to overflow a stack buffer in Microsoft Word. When the exploit fails, Word simply crashes; when it succeeds, the shellcode runs and malicious users can execute arbitrary commands on the affected system.

From the screenshot above, we can see that the exploit places a NOP sled ahead of its shellcode, so that an imprecise jump after the overflow still lands on the payload, which then executes in the context of Microsoft Word. The malware we encountered dropped another malicious file detected as TROJ_INJECT.ART.
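The NOP sled described above is one of the few exploit traits that survives the RTF encoding and can be scanned for without reproducing the overflow. RTF stores binary data as hex text (for example inside an \objdata group) or as \'xx escapes, so a scanner has to decode those before looking for byte runs. The block below is an added example, not code from the original post or from Trend Micro; the sample RTF is constructed, the "shellcode" in it is placeholder bytes rather than an exploit, and the 32-byte sled threshold is an assumption to be tuned against a clean corpus.

```python
"""Look for a NOP sled inside an RTF file's embedded binary data.

Added example, not from the original post. Decodes hex-text runs and \'xx
escape runs, then reports long runs of 0x90 (x86 NOP). The sample RTF below is
constructed and contains no working exploit.
"""
import re

NOP = 0x90
MIN_SLED = 32  # assumed threshold; real sleds are usually much longer

# Runs of at least 16 hex byte pairs, whitespace (line breaks) allowed between them.
HEX_RUN_RE = re.compile(rb"(?:[0-9a-fA-F]{2}\s*){16,}")
# Runs of at least 8 consecutive \'xx escapes (binary smuggled as "text").
ESCAPE_RUN_RE = re.compile(rb"(?:\\'[0-9a-fA-F]{2}){8,}")


def embedded_bytes(rtf):
    """Yield (offset_in_file, decoded_bytes) for each binary-looking region."""
    for m in HEX_RUN_RE.finditer(rtf):
        hex_text = re.sub(rb"\s", b"", m.group(0))
        yield m.start(), bytes.fromhex(hex_text.decode("ascii"))
    for m in ESCAPE_RUN_RE.finditer(rtf):
        hex_text = m.group(0).replace(b"\\'", b"")
        yield m.start(), bytes.fromhex(hex_text.decode("ascii"))


def longest_nop_run(data):
    """Length of the longest run of consecutive 0x90 bytes."""
    best = current = 0
    for byte in data:
        current = current + 1 if byte == NOP else 0
        best = max(best, current)
    return best


def find_nop_sleds(rtf, min_sled=MIN_SLED):
    """Return [(offset, sled_length, region_length)] for regions with a sled."""
    hits = []
    for offset, data in embedded_bytes(rtf):
        run = longest_nop_run(data)
        if run >= min_sled:
            hits.append((offset, run, len(data)))
    return hits


# Constructed sample: an embedded object whose data is an 8-byte header,
# a 64-byte NOP sled and 8 placeholder bytes ("AAAAAAAA") standing in for shellcode.
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\deff0 {\\fonttbl {\\f0 Times New Roman;}}\n"
    b"\\pard Quarterly report attached.\\par\n"
    b"{\\object\\objemb{\\*\\objdata 0105000002000000\n"
    + b"90" * 64
    + b"4141414141414141}}\n}"
)

CLEAN_RTF = b"{\\rtf1\\ansi caf\\'e9 au lait\\par}"

if __name__ == "__main__":
    for offset, run, size in find_nop_sleds(SAMPLE_RTF):
        print(f"sled of {run} NOPs in a {size}-byte region at file offset {offset}")
```

A sled scanner is a triage aid, not a verdict: attackers can use alternative single-byte instructions as filler, and a long 0x90 run can occur in benign embedded objects, so hits should feed a sandbox detonation or a check against the MS10-087 patch level rather than block on their own.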

One of the more serious concerns is that a malicious user could send an RTF email to target users. Since Microsoft Outlook uses Word to render email messages, the mere act of opening or viewing a specially crafted message in the reading pane may cause the exploit code to execute, with no attachment for the user to open.

Microsoft already released an update to address the said vulnerability. Users are strongly advised to download and install the patch, which can be found in the official bulletin MS10-087. This was issued as part of November’s Patch Tuesday.

While ZeuS draws the industry's attention, a new spyware family has silently but successfully entered the cybercrime scene. CARBERP, as initial reports indicate, is a new Trojan family that may have been created to challenge the already dominant ZeuS.

TROJ_CARBERP.A uses a simple but effective technique to avoid attention. It deliberately drops a copy of itself and its component files only into directories that the user can write to without administrator privileges, so nothing it does triggers the User Account Control (UAC) prompt on Windows Vista and 7, and the user sees no warning on these newer Windows versions. More specifically, it drops files into the Startup and Application Data folders and neither creates nor modifies registry entries, which also keeps it out of registry-based autorun reviews. Since files dropped in the Startup folder can easily be spotted even by novice users, CARBERP hooks two APIs to hide itself, its thread in Explorer.exe, and its component files.
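Because CARBERP never touches the registry, a review that only lists Run keys misses it; the places to look are the per-user Startup folder and Application Data, both writable without elevation. The block below is an added example, not code from the original post or from Trend Micro, that audits those locations and reports executable-looking files. The Roaming profile layout it assumes is the standard Vista/7 one; the directory tree it scans is constructed in a temporary directory so the example runs anywhere, and the file names in it are placeholders, not CARBERP indicators.

```python
"""Audit per-user persistence locations that need no elevation.

Added example, not from the original post. Walks a Roaming profile tree,
reports every file in the Startup folder and every executable-looking file
elsewhere under it. The sample tree is constructed; its file names are
placeholders, not indicators.
"""
import os
import tempfile
from pathlib import Path

EXEC_SUFFIXES = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd",
                 ".vbs", ".js", ".lnk"}

# Per-user Startup folder relative to %APPDATA% (Roaming) on Vista/7; assumed layout.
STARTUP_REL = Path("Microsoft/Windows/Start Menu/Programs/Startup")


def audit_user_persistence(appdata):
    """Return sorted (location, relative_path) pairs worth a closer look."""
    appdata = Path(appdata)
    findings = []
    for root, _dirs, files in os.walk(appdata):
        for name in files:
            rel = (Path(root) / name).relative_to(appdata)
            if STARTUP_REL in rel.parents:
                # Anything in Startup runs at logon, whatever its extension.
                if name.lower() != "desktop.ini":
                    findings.append(("startup", rel.as_posix()))
            elif rel.suffix.lower() in EXEC_SUFFIXES:
                findings.append(("appdata", rel.as_posix()))
    return sorted(findings)


def build_sample_tree():
    """Constructed Roaming profile (demo helper): two benign data files,
    a dropped loader in Startup and a dropped component under Microsoft/."""
    base = Path(tempfile.mkdtemp(prefix="appdata-demo-"))
    sample_files = {
        STARTUP_REL / "desktop.ini": b"[.ShellClassInfo]",
        STARTUP_REL / "update.exe": b"MZ placeholder",        # constructed loader
        Path("Microsoft/Word/normal.dotm"): b"placeholder",
        Path("Mozilla/Firefox/profiles.ini"): b"[General]",
        Path("Microsoft/helper.dll"): b"MZ placeholder",      # constructed component
    }
    for rel, data in sample_files.items():
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return base


if __name__ == "__main__":
    for location, rel_path in audit_user_persistence(build_sample_tree()):
        print(f"{location:8} {rel_path}")
```

On a live host point the function at the real %APPDATA%, but remember the post's second point: CARBERP hooks APIs to hide its files, so a scan run on the infected system through those same APIs can come back clean. Run the audit from a clean boot or against an offline copy of the profile, or compare its output with a raw directory enumeration, before trusting a negative result.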

Apart from its stealth tactics, the real danger CARBERP brings is that it hooks network APIs in WININET.DLL to monitor browsing activity on the affected system. It also contacts its C&C server to download what appears to be a configuration file, to send a list of processes running on the affected system, and to receive arbitrary commands. Together, these capabilities let the cybercriminals behind the malware steal virtually any information they wish to get their hands on.

As of this writing, CARBERP connects to already inaccessible websites and, as such, fails to perform its intended routine. TrendLabs engineers will continue monitoring this emerging malware family and will post updates as more information is obtained.